
WebGoat and my laptop

I installed WebGoat on my laptop that's connected to my LAN. Was running it and.....
Out of curiosity I went to my desktop and connected to 192.168.0.3 and there was WebGoat....
Laptop is running WinXP Pro SP2 and ZoneAlarm... desktop is Win98....
So I know that the server on WebGoat is insecure by nature...the whole object is to find the security flaws....
QUESTION....should I worry about my laptop being connected to the internet while I'm playing with WebGoat? Is the server open to the net like it is on my LAN?

You can't squeeze cheese from a goat before it's hatched.............

Well if you have a router then I think you should be able to configure it to drop all requests on the port that WebGoat is listening on... that way you have a good chance to avoid leaving it too much in the open.

yeah....

That's my concern..... I thought that it was an Apache server only accessible to my standalone laptop.... I have no file sharing on...no remote access on..... and I thought a good firewall.
Turns out that the Apache server is accessible through the LAN...( so accessible through the net?)..
I don't know, I'm gonna do a security scan by Sygate or another in the morning, see if any ports are open, maybe scan from another box, I need to go to bed now.
I don't want to have an insecure Apache server running on my **** that's open to the world......

You can't squeeze cheese from a goat before it's hatched.............

Well it's one thing to have it available on the LAN and quite another to be opened to the Internet. The LAN is the 'trusted zone' generally so you can have services that are selectively open.

However it is possible to find out the address of the server and spoof a connection to make it seem as though coming from within the LAN.. it's true it's not the easiest thing ever but, theoretically, it's do-able.

Just test it with as many online scans as you can and see what pops... also you could try fingerprinting yourself... look on Shrekkie's site, he has a NMap front-end you can use to test your local machine.

I guess I'm safe...

I ran every online security scan I could find, scanned myself with nmap, scanned my laptop from my desktop.... all ports and services look to be stealthed or unavailable.
So I guess I can stop worrying about running the Apache server while I'm connected to the internet and playing with WebGoat.

Thanks for the replies.

You can't squeeze cheese from a goat before it's hatched.............

The WebGoat installation is inherently insecure, further along there are lessons on directory traversal and anyone with access to the login will have root access on your box. Your integrity will get screwed by the command and parameter injection lessons if you allow the server to be over the internet.

Don't let WebGoat have access to the internet. If you can reach the lessons outside of your LAN, then you are wide open.

outside the LAN

It doesn't look like WebGoat can be accessed outside of my LAN, and I have my wireless router as locked down as it can get.......WEP enabled with a strong string....MAC filtered...password protected.....
It wasn't the LAN I was worried about, and every scan I did showed me that WebGoat and the underlying Apache server was not visible on the internet.
I feel safe running this app now. No one seems to have any security issues that I haven't thought of.

Cheers/

You can't squeeze cheese from a goat before it's hatched.............
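
Editor's added example, not part of the thread or of WebGoat: a local check that complements the outside-in scans discussed above by reading `netstat -an` output and reporting which listening TCP sockets are bound beyond loopback, which is why the desktop could reach the laptop at 192.168.0.3. The sample output is constructed; the port numbers are assumptions, since the thread never states which port WebGoat listened on.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output. Ports are illustrative
# assumptions; only the address 192.168.0.3 comes from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING
  TCP    192.168.0.3:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.3:1042       192.168.0.2:445        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches only TCP rows in the LISTENING state; captures local address and port.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def classify_bind(addr):
    """Describe how widely a socket bound to `addr` accepts connections."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback-only"      # reachable from this machine only
    if ip.is_unspecified:
        return "all-interfaces"     # 0.0.0.0 or ::, reachable from the LAN
    return "single-interface"       # bound to one specific address


def listening_sockets(netstat_text):
    """Return (port, local_address, scope) for every listening TCP socket."""
    results = []
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue
        addr, port = match.group(1), int(match.group(2))
        try:
            scope = classify_bind(addr.strip("[]"))  # IPv6 appears as [::]
        except ValueError:
            continue  # not an IP literal, skip the row
        results.append((port, addr, scope))
    return results


def exposed_ports(netstat_text):
    """Ports that other hosts on the network can attempt to connect to."""
    return sorted(p for p, _, s in listening_sockets(netstat_text)
                  if s != "loopback-only")


if __name__ == "__main__":
    for port, addr, scope in listening_sockets(SAMPLE_NETSTAT):
        print(f"{addr}:{port:<6} {scope}")
```

A port reported here as exposed is reachable from the LAN; whether it is also reachable from the internet depends on the router and firewall, which is what the external scans in the thread test.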